Results 1-10 of 132
Proving the Correctness of Multiprocess Programs
1977
Cited by 305 (20 self)
Abstract
The inductive assertion method is generalized to permit formal, machine-verifiable proofs of correctness for multiprocess programs. Individual processes are represented by ordinary flowcharts, and no special synchronization mechanisms are assumed, so the method can be applied to a large class of multiprocess programs. A correctness proof can be designed together with the program by a hierarchical process of stepwise refinement, making the method practical for larger programs. The resulting proofs tend to be natural formalizations of the informal proofs that are now used.
Universal coalgebra: a theory of systems
2000
Cited by 298 (31 self)
Abstract
In the semantics of programming, finite data types such as finite lists have traditionally been modelled by initial algebras. Later final coalgebras were used in order to deal with infinite data types. Coalgebras, which are the dual of algebras, turned out to be suited, moreover, as models for certain types of automata and more generally, for (transition and dynamical) systems. An important property of initial algebras is that they satisfy the familiar principle of induction. Such a principle was missing for coalgebras until the work of Aczel (Non-Well-Founded Sets, CSLI Lecture Notes, Vol. 14, Center for the Study of Language and Information, Stanford, 1988) on a theory of non-well-founded sets, in which he introduced a proof principle nowadays called coinduction. It was formulated in terms of bisimulation, a notion originally stemming from the world of concurrent programming languages. Using the notion of coalgebra homomorphism, the definition of bisimulation on coalgebras can be shown to be formally dual to that of congruence on algebras. Thus, the three basic notions of universal algebra: algebra, homomorphism of algebras, and congruence, turn out to correspond to coalgebra, homomorphism of coalgebras, and bisimulation, respectively. In this paper, the latter are taken
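As an added illustration of the bisimulation notion this abstract turns on (example code written for this page, not taken from the paper): the Python below computes the coarsest strong bisimulation on a finite labelled transition system by partition refinement, the finite-state counterpart of the coinductive definition, and contrasts it with finite trace sets. The transition system is a constructed toy whose state and action names are invented: the standard pair a.(b + c) versus a.b + a.c, which have the same traces but are not bisimilar, plus two looping states that are bisimilar even though their behaviour never terminates.

```python
from collections import defaultdict


class LTS:
    """Finite labelled transition system given as (source, label, target) triples."""

    def __init__(self, transitions):
        self.succ = defaultdict(set)      # (state, label) -> set of successor states
        self.states, self.labels = set(), set()
        for s, a, t in transitions:
            self.succ[(s, a)].add(t)
            self.states.update((s, t))
            self.labels.add(a)

    def traces(self, state, depth):
        """All label sequences of length <= depth that `state` can perform."""
        frontier = {(state, ())}
        out = {()}
        for _ in range(depth):
            frontier = {(t, w + (a,)) for s, w in frontier
                        for a in self.labels for t in self.succ[(s, a)]}
            out |= {w for _, w in frontier}
        return out


def bisimulation_classes(lts):
    """Coarsest strong bisimulation on `lts`, returned as a map state -> class id.

    Start with a single block and repeatedly split blocks by 'signature', the set
    of (label, target block) pairs a state offers.  The current block id is part
    of the signature, so blocks only ever split; the loop stops as soon as a round
    creates no new block, which is the greatest fixpoint, i.e. bisimilarity.
    """
    block = {s: 0 for s in lts.states}
    while True:
        sig = {s: (block[s], frozenset((a, block[t])
                                       for a in lts.labels for t in lts.succ[(s, a)]))
               for s in lts.states}
        ids, refined = {}, {}
        for s in sorted(lts.states, key=str):
            refined[s] = ids.setdefault(sig[s], len(ids))
        if len(ids) == len(set(block.values())):
            return refined
        block = refined


def bisimilar(lts, s, t):
    classes = bisimulation_classes(lts)
    return classes[s] == classes[t]


# Constructed example (all names invented): 'p' = a.(b + c), 'q' = a.b + a.c,
# 's' loops on a, and 'u'/'v' alternate on a forever.
MACHINES = LTS([
    ("p", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3"),
    ("q", "a", "q1"), ("q", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4"),
    ("s", "a", "s"), ("u", "a", "v"), ("v", "a", "u"),
])

if __name__ == "__main__":
    # p and q have the same finite traces but are not bisimilar: after 'a', p can
    # still choose b or c while q has already committed.  s, u and v are bisimilar
    # despite the cycles; refinement handles them without unrolling anything.
    print(MACHINES.traces("p", 3) == MACHINES.traces("q", 3), bisimilar(MACHINES, "p", "q"))
    print(bisimilar(MACHINES, "s", "u"), bisimilar(MACHINES, "u", "v"))
```

The refinement is the usual naive algorithm (quadratic in the worst case); the point here is that bisimilarity, unlike trace equivalence, distinguishes when a choice is made, which is why it is the equivalence of choice for the security properties later in this listing.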
Relations in Concurrency
Cited by 263 (33 self)
Abstract
The theme of this paper is profunctors, and their centrality and ubiquity in understanding concurrent computation. Profunctors (a.k.a. distributors, or bimodules) are a generalisation of relations to categories. Here they are first presented and motivated via spans of event structures, and the semantics of nondeterministic dataflow. Profunctors are shown to play a key role in relating models for concurrency and to support an interpretation as higher-order processes (where input and output may be processes). Two recent directions of research are described. One is concerned with a language and computational interpretation for profunctors. This addresses the duality between input and output in profunctors. The other is to investigate general spans of event structures (the spans can be viewed as special profunctors) to give causal semantics to higher-order processes. For this it is useful to generalise event structures to allow events which "persist."
Logics and Models of Real Time: A Survey
Cited by 184 (16 self)
Abstract
We survey logic-based and automata-based languages and techniques for the specification and verification of real-time systems. In particular, we discuss three syntactic extensions of temporal logic: time-bounded operators, freeze quantification, and time variables. We also discuss the extension of finite-state machines with clocks and the extension of transition systems with time bounds on the transitions. All of the resulting notations can be interpreted over a variety of different models of time and computation, including linear and branching time, interleaving and true concurrency, discrete and continuous time. For each choice of syntax and semantics, we summarize the results that are known about expressive power, algorithmic finite-state verification, and deductive verification.
Petri Nets
ACM Computing Surveys, 1977
Cited by 174 (0 self)
Abstract
Over the last decade, the Petri net has gained increased usage and acceptance as a basic model of systems of asynchronous concurrent computation. This paper surveys the basic concepts and uses of Petri nets. The structure of Petri nets, their markings and execution, several examples of Petri net models of computer hardware and software, and
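To make the "structure, markings and execution" of a Petri net concrete, here is an added Python example (written for this page, not from the survey) that encodes a place/transition net, fires enabled transitions, enumerates the reachable markings breadth-first and checks a safety property on them. The net is a constructed one: two processes that share a semaphore place, with the place and transition names invented. Starting the semaphore with one token gives mutual exclusion; starting it with two reproduces the classic bug where both processes reach their critical sections.

```python
from collections import deque


class PetriNet:
    """Place/transition net.  A marking is a tuple of token counts indexed by place."""

    def __init__(self, places, transitions):
        self.places = tuple(places)
        self.index = {p: i for i, p in enumerate(self.places)}
        # name -> (pre, post): tokens consumed from and produced into each place
        self.transitions = {
            name: (self._vector(pre), self._vector(post))
            for name, (pre, post) in transitions.items()
        }

    def _vector(self, counts):
        v = [0] * len(self.places)
        for place, n in counts.items():
            v[self.index[place]] = n
        return tuple(v)

    def marking(self, **tokens):
        return self._vector(tokens)

    def enabled(self, m):
        """Transitions whose input places all hold enough tokens under marking m."""
        return [t for t, (pre, _) in self.transitions.items()
                if all(m[i] >= pre[i] for i in range(len(m)))]

    def fire(self, m, t):
        pre, post = self.transitions[t]
        return tuple(m[i] - pre[i] + post[i] for i in range(len(m)))

    def reachable(self, m0, limit=100_000):
        """Reachability graph from m0: marking -> {transition: successor marking}.

        The limit guards against unbounded nets, whose marking set is infinite.
        """
        graph = {m0: {}}
        queue = deque([m0])
        while queue:
            m = queue.popleft()
            for t in self.enabled(m):
                m2 = self.fire(m, t)
                graph[m][t] = m2
                if m2 not in graph:
                    if len(graph) >= limit:
                        raise RuntimeError("state space exceeds limit; net may be unbounded")
                    graph[m2] = {}
                    queue.append(m2)
        return graph


def mutex_net(semaphore_tokens):
    """Constructed example: two processes guarded by one semaphore place."""
    net = PetriNet(
        ["idle1", "wait1", "cs1", "idle2", "wait2", "cs2", "mutex"],
        {
            "req1":   ({"idle1": 1}, {"wait1": 1}),
            "enter1": ({"wait1": 1, "mutex": 1}, {"cs1": 1}),
            "exit1":  ({"cs1": 1}, {"idle1": 1, "mutex": 1}),
            "req2":   ({"idle2": 1}, {"wait2": 1}),
            "enter2": ({"wait2": 1, "mutex": 1}, {"cs2": 1}),
            "exit2":  ({"cs2": 1}, {"idle2": 1, "mutex": 1}),
        },
    )
    return net, net.marking(idle1=1, idle2=1, mutex=semaphore_tokens)


def analyse(semaphore_tokens):
    """Return (number of reachable markings, 1-safe?, markings violating mutual exclusion)."""
    net, m0 = mutex_net(semaphore_tokens)
    graph = net.reachable(m0)
    cs1, cs2 = net.index["cs1"], net.index["cs2"]
    violations = [m for m in graph if m[cs1] > 0 and m[cs2] > 0]
    one_safe = all(max(m) <= 1 for m in graph)
    return len(graph), one_safe, len(violations)


if __name__ == "__main__":
    print("semaphore=1:", analyse(1))   # 8 markings, 1-safe, no violation
    print("semaphore=2:", analyse(2))   # 9 markings, not 1-safe, both in cs reachable
```

Exhaustive reachability is only feasible for bounded nets, which is why the BFS carries an explicit state limit; for the survey's larger models one would use the invariant and reduction techniques it discusses instead of brute-force enumeration.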
What Good Are Digital Clocks?
1992
Cited by 110 (14 self)
Abstract
Real-time systems operate in "real," continuous time and state changes may occur at any real-numbered time point. Yet many verification methods are based on the assumption that states are observed at integer time points only. What can we conclude if a real-time system has been shown "correct" for integral observations? Integer time verification techniques suffice if the problem of whether all real-numbered behaviors of a system satisfy a property can be reduced to the question of whether the integral observations satisfy a (possibly modified) property. We show that this reduction is possible for a large and important class of systems and properties: the class of systems includes all systems that can be modeled as timed transition systems; the class of properties includes time-bounded invariance and time-bounded response.
1 Introduction
Over the past few years, we have seen a proliferation of formal methodologies for software and hardware design that emphasize the treatm...
A Classification of Security Properties for Process Algebras
Journal of Computer Security, 1994
Cited by 106 (16 self)
Abstract
Several information flow security definitions, proposed in the literature, are generalized and adapted to the model of labelled transition systems. This very general model has been widely used as a semantic domain for many process algebras, e.g. CCS. As a by-product, we provide a process algebra similar to CCS with a set of security notions, hence relating these two areas of concurrency research. A classification of these generalized security definitions is presented, taking into account also the additional property of input totality, which can influence this taxonomy. We also show that some of these security properties are composable w.r.t. the operators of parallelism and action restriction.
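One of the information flow definitions in this family, Strong Nondeterministic Non-Interference (SNNI), says a system E is secure when the low-level traces of E with high actions forbidden (E\H) coincide with those of E with high actions hidden (E/H): a low observer then cannot tell whether any high-level activity took place. The Python below is an added example for this page, not the authors' tool or code; it decides SNNI on a finite labelled transition system by determinising both views and walking them in lockstep. The three systems it checks are constructed, with invented state and action names: one that leaks (a low action becomes available only after a high one), one that is secure, and a cyclic one where a high user may flip a hidden bit indefinitely.

```python
from collections import defaultdict, deque


def snni(transitions, high, init):
    """Decide SNNI for a finite LTS given as (source, label, target) triples.

    `high` is the set of labels visible only to the high-level user; every other
    label is low.  Returns (True, None) when the low trace sets of E\\H (high
    actions forbidden) and E/H (high actions hidden, i.e. performed silently)
    are equal, otherwise (False, trace) with a low trace that one view can do
    and the other cannot, which is exactly what a low observer could exploit.

    Both trace sets are prefix-closed regular languages over the low labels, so
    they are equal iff, at every reachable pair (restricted state set, hidden
    state set) of the two determinised systems, the same low actions are enabled.
    """
    succ = defaultdict(set)
    labels = set()
    for s, a, t in transitions:
        succ[(s, a)].add(t)
        labels.add(a)
    high = set(high)
    low = sorted(labels - high)

    def hide_closure(states):
        """States reachable from `states` by any number of hidden high actions."""
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for h in high:
                for t in succ[(s, h)]:
                    if t not in seen:
                        seen.add(t)
                        todo.append(t)
        return frozenset(seen)

    def post(states, a):
        return frozenset(t for s in states for t in succ[(s, a)])

    def enabled(states):
        return {a for a in low if post(states, a)}

    start = (frozenset([init]), hide_closure([init]))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (restricted, hidden), trace = queue.popleft()
        en_r, en_h = enabled(restricted), enabled(hidden)
        if en_r != en_h:
            # a low action possible in one view but not the other: interference
            return False, trace + (min(en_r ^ en_h),)
        for a in en_r:
            nxt = (post(restricted, a), hide_closure(post(hidden, a)))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (a,)))
    return True, None


# Constructed examples (names invented).
# LEAKY: low action l2 is only possible after the high action h has happened.
LEAKY = [("s0", "h", "s1"), ("s1", "l2", "s2"), ("s0", "l1", "s3")]
# SECURE: the low action l is available whether or not h occurred.
SECURE = [("s0", "h", "s1"), ("s0", "l", "s2"), ("s1", "l", "s3")]
# TOGGLE: the high user may flip a hidden bit forever; the low view is l* either way.
TOGGLE = [("s0", "h", "s1"), ("s1", "h", "s0"), ("s0", "l", "s0"), ("s1", "l", "s1")]

if __name__ == "__main__":
    for name, lts in [("LEAKY", LEAKY), ("SECURE", SECURE), ("TOGGLE", TOGGLE)]:
        print(name, snni(lts, {"h"}, "s0"))
```

Trace-based checks such as this one are the weakest in the taxonomy; the bisimulation-based variants in the same family additionally reject systems where high activity changes the branching structure without changing the trace set, which a low observer could detect by testing the system repeatedly.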
Classification of Security Properties (Part I: Information Flow)
2001
Cited by 90 (16 self)
Abstract
In recent years, many formalizations of security properties have been proposed, most of which are based on different underlying models and are consequently difficult to compare. A classification of security properties is thus of interest for understanding the relationships among different definitions and for evaluating the relative merits. In this paper, many noninterference-like properties proposed for computer security are classified and compared in a unifying framework. The resulting taxonomy is evaluated through some case studies of access control in computer systems. The approach has been mechanized, resulting in the tool CoSeC. Various extensions (e.g., the application to cryptographic protocol analysis) and open problems are discussed. This paper
Reasoning about Rings
1995
Cited by 82 (6 self)
Abstract
The ring is a useful means of structuring concurrent processes. Processes communicate by passing a token in a fixed direction; the process that possesses the token is allowed to perform certain actions. Usually, correctness properties are expected to hold irrespective of the size of the ring. We show that the problem of checking many useful correctness properties for rings of all sizes can be reduced to checking them on rings of sizes up to a small cutoff size. We apply our results to the verification of a mutual exclusion protocol and Milner's scheduler protocol.